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© Digital signature method and key agreement method. 



® A digital signature method based on the discrete 
logarithm problem is provided that allows message 
recovery. The message x is transformed according 
to the rule e = x g-r mod p, where r is a secret 
value generated by the signer. A value y is then 
calculated according to the rule y = r + se mod q, 
where s is the signer's secret key. The signature of 
x consists of the pair (e,y). The verifier recovers the 
message x according the the rule x = gy ke e mod 
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p t where k is the signer's public key. The validation 
of x can be based on some redundancy contained in 
x. Alternatively, a conventional verification equation 
can be constructed by using the signature method 
together with a hash function H. In addition, a key 
agreement method based on the signature method is 
provided which establishes with a single transmis- 
sion pass a shared secret key K between two parties 
A and B in an authenticated fashion. 
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Background of the Invention 
Field of the Invention 

The invention relates to a method for generat- 
ing and verifying a digital signature of a message. 
The field of this invention is data integrity and in 
particular generating and verifying a digital signa- 
ture for a message or data file. The inventive 
method can also be used to establish a shared 
secret key between two parties. 

The invention also relates to an apparatus for 
generating and/or verifying a digital signature. 

Background Art 

When a message is transmitted from one party 
to another, the receiving party may desire to deter- 
mine whether the message has been altered in 
transit. Furthermore, the receiving party may wish 
to be certain of the origin of the message. It is 
known in the prior art to provide both of these 
functions using digital signature methods. Several 
known digital signature methods are available for 
verifying the integrity of a message. These known 
digital signature methods may also be used to 
prove to a third party that the message was signed 
by the actual originator. Several attempts have 
been made to find practical public key signature 
schemes that are based on the difficulty of solving 
certain mathematical problems to make alteration 
or forgery by unauthorized parties difficult. Most of 
the proposed schemes have been based either on 
the problem of factoring large integers or on the 
difficulty of computing discrete logarithms over 
finite fields (or over finite groups in general). For 
example, the Ri vest-Sham ir-Adleman system de- 
pends on the difficulty of factoring large integers 
(see "A method for obtaining digital signatures and 
public key cryptosystems". Communications of the 
ACM, Feb. 1978, Vol. 21, No. 2, pp. 120-126) 

In 1985 Taher El-Gamal proposed a signature 
scheme based on the discrete logarithm problem 
(see "A Public Key Cryptosystem and a Signature 
Scheme Based on Discrete Logarithms," IEEE 
Trans, on Inform. Theory, vol. IT-31, pp. 469-472, 
July 1985). In 1987 Chaum, Evertse and Van de 
Qraaf proposed a zero-knowledge identification 
protocol based on the discrete logarithm problem. 
1989 Schnorr proposed a modification of that pro- 
tocol to obtain an efficient identification and signa- 
ture scheme (see CP. Schnorr, "Efficient Iden- 
tification and Signatures for Smart Cards", Pro- 
ceedings of Crypto'89, Springer-Verlag 1990. pp. 
239-252 and European Patent Application EP 0 384 
475 A1). 1991 the National Institute of Standards 
and Technology (NIST) proposed the "Digital Sig- 
nature Method" that combines some features of 



EIGamal's and Schnorr's schemes (see Worldwide 
Patent WO 93/03562). 

There are digital signature schemes that allow 
text recovery, that is, the original message can be 

5 recovered from the signature itself. Then it is un- 
necessary to send the message along with the 
signature. There are other signature schemes that 
do not allow text recovery but instead require the 
message or a hash value of the message in the 

io verification process. All the described signature 
" schemes based on the discrete logarithm problem 
have the property that from the signature the origi- 
nal message is no longer recoverable. With these 
systems it is necessary to send the message along 

75 with the signature. While any signature system that 
allows text recovery can be converted into a signa- 
ture system with text hashing, the converse is not 
true. 

20 Summary of the Invention 

The goal of the present invention is therefore to 
provide an efficient digital signature method avoid- 
ing at least some of the disadvantages described 
25 above. 

This digital signature method can be used in 
both message, recovery and message hashing 
mode. Clearly, when message recovery is possible, 
the original message need not be transmitted or 
30 stored together with the digital signature, which 
allows to improve the efficiency of the transmission 
or the storage. 

This goal is reached by the method described 
in claim 1. 

35 This method requires a pair of corresponding 
public and secret keys (k and s) for each signer. 

In a preferred embodiment the message x is 
transformed according to the rule e = x g" r mod p, 
where r is a secret value generated by the signer. 

40 A value y is then calculated according to the rule y 
= r + s e mod q. The signature of x consists of 
the pair (e.y) and is then transmitted. The receiving 
party of the signature uses a retransformation pro- 
cess to recover the message x. The received sig- 

45 nature (e.y) is transformed according to the rule x 
= g y k 6 e mod p thereby providing the original 
message x for legitimately executed signatures. 
The validation of x can be based on some redun- 
dancy contained in x. Alternatively, a conventional 

so verification equation can be constructed by using a 
hash function H, transforming H(x) using the signa- 
ture scheme and sending x along with the signa- 
ture (e,y), recovering H(x) at the receiver using the 
retransformation equation and comparing it with the 

55 locally computed hash value of the received mes- 
sage x. 

Such a signature system allows completely 
new applications, such as the key agreement meth- 
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od also described in the present invention. 

This key agreement method establishes with a 
single transmission pass a shared secret key K 
between two parties A and B in an authenticated 
fashion. It requires that both parties have a pair of 
corresponding public and secret keys (k A , s A and 
k B , s B , respectively). Party A chooses a special key 
agreement message x = g R mod p, signs it using 
the above signature method and transmits the re- 
sulting signature (e,y) to party B. Party B recovers 
the key agreement message using the ^transfor- 
mation process of the signature method. With a 
little additional computation both parties are now 
able to establish the shared key K. Party A com- 
putes K = k B " mod p and party B computes K = 
(g R ) ~ sB mod p. Both arrive at the same value K 
since k B = g~ s8 mod p. 

Clearly, when text recovery is possible, the 
original message need not be transmitted or stored 
together with the digital signature, which allows to 
improve the efficiency of the transmission or the 
storage. Finally, a signature system with text recov- 
ery can always be run in text hashing mode without 
loss of efficiency, when the application demands 
signatures with text hashing. 

Brief Description of the Drawings 

Other advantages and applications of the in- 
ventive method will become apparent from the fol- 
lowing description of preferred embodiments, 
wherein reference is made to the following figures: 
Fig. 1 shows the signer's part of the digital 
signature method of the present invention, 
Fig. 2 shows the verifier's part of the digital 
signature method of the present invention, 
Fig. 3 shows the key agreement protocol based 
on the signature method of the present inven- 
tion. 

Detailed Description of the Invention 

Referring now to Figs. 1, 2 where the digital 
signature method is shown. 

Within the preferred digital signature method of 
the present invention each user has to obtain three 
numbers p, q and g. The value p is a large prime 
modulus with p > 2 512 , the value q is a large prime 
divisor of (p-1) , and the value g is an element of 
multiplicative order q modulo p. That is, g ! = 1 
mod p if and only if t is an integer multiple of q. 
The triple (p.q.g) may be common to all users of 
the signature method, or may be chosen by each 
user independently. 

The execution of the signature method begins 
at start terminal 10. 

For every message a user wishes to sign, the 
user first selects secretly and randomly an integer r 



such that 0 < r < q (block 15). 

Then in block 20 the value u = g" r mod p is 
calculated. 

Block 25 denotes the input message x. In order 
5 to be recoverable by the receiver, the message x 
must be an integer between 0 and p. If the original 
message is larger than p, it can be subdivided into 
data blocks of size smaller than p. It is known in 
the art how to convert a message into a block 
70 representation where each block has a size smaller 
than some given integer value. 

In block 30 the message x is transformed into 
value e using the equation 

75 e = x u mod p 

where u is the quantity already computed in 
block 20.Since the value u does not depend on the 
message it can be computed prior to knowledge of 

20 the message x. In general, e may be computed as 
e = f(x,u) where the function f has the property 
that, given the values e and u, then the message x 
is easily recovered. One such function f is the 
multiplication of x times u modulo p shown in block 

25 30. Other examples of such a function are e = x + 
u mod p and e = x xor u, where xor denotes the 
bitwise addition of x and u. 

Block 35 denotes the private signature key s of 
the signer, where 0 < s < q. The value of s is 

30 secretly chosen in advance to the execution of the 
signature method. It may be selected by the signer 
itself or by some trusted party which conveys s in 
a secret and authenticated way to the signer. The 
private signature key s is fixed for all messages to 

35 be signed by the signer. 

The signature method proceeds to block 40, 
where the value of y is determined according to the 
rule 

40 y = r + se mod q 

The values e (determined in block 30) and y 
(determined in block 40) constitute the signature of 
message x. They are transmitted to the recipient as 

46 shown in block 45. 

The connector 50 denotes the finishing of the 
signer's part and serves as reference for the con- 
tinuation of the signature method at the recipient, 
i.e. the verifier. 

so After receiving the signature (e.y), as indicated 
in block 100, the recipient must recover the mes- 
sage x and verify the signature. For that purpose 
the recipient must know the values g, p and q used 
by the signer. 

55 In block 105 the verifier computes the quantity 

g y mod p. 

Block 115 denotes the signer's public key k, 
which corresponds to the private signature key s 
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through the rule k = g" s mod p. This public key k 
and the identity of the signer must be made avail- 
able in an authenticated fashion to the recipient of 
the signature (e.y). By possession of the public key 
k of the signer the verifier can then determine that 
the signature was originally created by that user 
who had knowledge of the private key s which 
corresponds to the particular value of k. If s has not 
been compromised, the signer's identity is linked 
to the public key y in an authenticated fashion. 

In block 110 the verifier computes, using the 
signer's public key k, the inverse of the value u 
using the equation 

u" 1 = g y k a mod p 

In block 120 the verifier recovers the message 
x using the equation 

x = u" 1 e mod p (1) 

Block 120 shows the recovery operation when 
the function f to compute e from x and u was 
chosen to be multiplication modulo p (see block 
30). The recovery transformation (1) will vary de- 
pending on the function f chosen for the calculation 
of e. For example, if f was chosen to be e = x + u 
mod p, then the recovery transformation (1) be- 
comes x = e - (u~ 1 )" 1 mod p. Or, if f was chosen 
to be e = x xor u then the recovery transformation 
(1) becomes x = exor^" 1 )" 1 . 

If the digital signature (e.y) was a genuine one 
and was received by the recipient in an unmodified 
or undistorted way, then equation (1) yields the 
correct value of the message x. If, however, the 
digital signature received was a forged one or was 
modified or distorted in any way during the trans- 
mission, then equation (1) will yield a different 
value x\ It will be understood by those skilled in 
the art that, by the nature of the retransformation 
equation (1), any redundancy contained originally 
in x will no longer be accessible in x\ Therefore, if 
immediate verification of the signature is desired, 
the verifier must inspect (block 130) the message x 
for the redundancy contained in it. The redundancy 
may be natural (for example, caused by the lan- 
guage in use) or artificial (for example, by some 
formatting rules imposed on x or by addition of 
some check values). If the redundancy check is 
successful, then the signature and the contained 
message x are accepted by the verifier as genuine. 
If the redundancy check fails, then the signature 
and the contained message x are rejected. 

It will be understood by those skilled in the art 
that the present invention can also be used in what 
is called the hashing mode. Then, instead of trans- 
forming the message x itself to yield the quantity e 
(as indicated in block 30), a hash value H(x) of the 



message x is used for the computation. A hash 
function H takes an arbitrary length message as 
input and yields a fixed length hash value as out- 
put. The hash value H(x) must now satisfy the 
5 requirement 0 < H(x) < p, and x may have arbitrary 
length. The value of e is now determined as 

e = H(x) u mod p 

10 and in block 45 the message x has to be 
transmitted along with the signature, i.e. the triple 
(x. (e,y)) has to be transmitted to the recipient. The 
hash function H must be collision-resistant for the 
signature method to retain its qualities in hashing 

75 mode. That is, it must be computationally infeasibie 
to find two messages x and x' such that H(x) = H- 
(x') g* mod p for an arbitrary integer t. 

The verifier proceeds as described until it re- 
covers H(x) in block 120 (instead of x). To verify 

20 the signature, the verifier now applies the hash 
function H to the received message x and com- 
pares it with the recovered hash value from block 
120. If both hash values are equal, the signature is 
accepted, if the two hash values differ, the signa- 

25 ture is rejected. 

It will be understood by those skilled in the art 
that the signs of certain values can be changed 
without changing the subject matter of this signa- 
ture method. For example, the sign of the value r 

30 may be inverted such that in block 20 the value u 
is calculated according to the rule u = g r mod p 
and in block 40 the value y is calculated according 
to the rule y = -r + se mod q. Similarly, the sign 
of the value s may be inverted such that in block 

35 40 the value y is calculated according to the rule y 
= r - se mod q and in block 115 the public key k 
is congruent to g s mod p. 

Referring now to Fig. 3, there is shown the key 
agreement method of the present invention. For the 

40 key agreement method the two users A and B who 
wish to establish a shared secret key must use a 
common set of values p, q, and g as described in 
the signature method of the present invention. 
The execution of the key agreement method 

45 begins at start terminal 21 0. 

User A first selects secretly and randomly two 
integers R and r such that 0 < R, r < q (block 215). 

Then in block 220 the value e = g R ~ r mod p is 
calculated. 

so Block 225 denotes the private key agreement 
key s A of user A, where 0 < s A < q. The value of 
s A is secretly chosen in advance to the execution 
of the key agreement method, it may be selected 
by user A itself or by some trusted party which 

55 conveys s A in a secret and authenticated way to 
user A. The private key agreement key s A is fixed 
for all executions of the key agreement method. 
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The key agreement method proceeds to block 
230, where the value of y is determined according 
to the rule 

y = r + s A e mod q. 

Block 235 denotes user B's public key agree- 
ment key k B corresponding to the private key 
agreement key s B through the rule k B = g" sB mod 
p. User B's identity and public key k B must be 
made available in an authenticated fashion to user 
A. 

The key agreement method proceeds to block 
240, where the value of the shared secret key K is 
determined according to the rule 

K = k B R mod p. 

The values e (determined in block 220) and y 
(determined in block 230) constitute the key agree- 
ment token. They are transmitted to the recipient 
as shown in block 245. 

The connector 250 denotes the finishing of 
user A's part and serves as reference for the 
continuation of the key agreement method at the 
recipient, i.e. user B. 

After receiving the key agreement token (e.y), 
as indicated in block 300, the recipient B must 
recover the value g R mod p and compute the 
shared secret key K. 

In block 305 the verifier computes the quantity 
g y mod p. 

Block 315 denotes user A's public key agree- 
ment key k A corresponding to the private key 
agreement key s A through the rule k A = g -sA mod 
p. User A's identity and public key k A must be 
made available in an authenticated fashion to user 
B. 

In block 310 the recipient B computes, using 
the sender's public key k At the quantity k A « mod p. 

In block 320 the recipient B recovers the value 
g R mod p using the equation 

g R = g y k A 6 e mod p 

Block 325 denotes the private key agreement 
key s B of user B, where 0 < s B < q. The value of s B 
is secretly chosen in advance to the execution of 
the key agreement method. It may be selected by 
user B itself or by some trusted party which con- 
veys s B in a secret and authenticated way to user 
B. The private key agreement key s B is fixed for all 
executions of the key agreement method. 

The key agreement method proceeds to block 
330. where the value of the shared secret key K is 
determined according to the rule 

K = (g R ) - $B mod p. 



Note that the same key K results from different 
computations at the sender A and at the recipient 
B, since 

5 

K = k B R mod p 

= g-SB R mod p 
= (g R ) ~ S B mod p 

w 

The key K is only known to the sender A and 
the receiver B since at both sides a secret value 
was used: sender A used the secret value R and 
is recipient B used the secret value s B . The key K is 
also authenticated to both sender and recipient, 
since the key token (e,y) transmitted from A to B 
was actually A's signature of the message g R mod 
p and since B used the private key agreement key 

20 s B to compute the shared key K. 

It will be understood by those skilled in the art 
that the signs of certain values can be changed 
without changing the subject matter of this key 
agreement method. For example, the sign of the 

25 value r may be inverted such that in block 220 the 
value e is calculated according to the rule e = g R+r 
mod p and in block 230 the value y is calculated 
according to the rule y = -r + s A e mod q. Simi- 
larly, the sign of the value R may be inverted such 

30 that in block 220 the value e is calculated accord- 
ing to the rule e = g~ R ~ r mod p, in block 240 the 
value K is calculated according to the rule K = 
k B " R mod p, in block 320 the value g" R mod p is 
recovered, and in block 330 the value K is cal- 

35 culated according to the rule K = (g~ R )~ sB . Also 
similarly, the signs of the private keys s A and s B 
may be inverted such that in block 230 the value y 
is calculated according to the rule y = r - s A e mod 
q. in block 330 the value K is calculated according 

aq to the rule K = (g^ 58 , and in blocks 235 and 315, 
A's and B's public keys k A and k B are chosen to be 
congruent to g 8 * mod p and g* 8 mod p, respec- 
tively. All these sign changes are independent of 
each other. They can be combined as desired. 

45 The signature method and the key agreement 
method have been described in the setup of a 
finite field defined by arithmetic modulo p, also 
called the Galois Field with p elements and de- 
noted GF(p). In the multiplicative group of GF(p) 

so the discrete logarithm problem is difficult to solve. 
It will be understood by those skilled in the art that 
there are other cyclic groups which can equiv- 
alent^ be used as the basis for the present inven- 
tion. For example, the extension field GF(p n ) de- 

55 fined by arithmetic modulo an irreducible polyno- 
mial of degree n with coefficients modulo p or the 
cyclic group defined by an elliptic curve over a 
finite field could be used as the setup for the 
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present invention. In principle, any cyclic group in 
which the discrete logarithm problem is difficult to 
solve, may serve as a basis for the present inven- 
tion. 

The inventive signature method and the key 
agreement method can be implemented in software 
and/or hardware by a person skilled in the art. An 
apparatus can e.g. be provided for creating the 
signature of a given message and transferring it to 
a second apparatus for verifying and retrieving the 
message. 

Although the present invention has been shown 
and described with respect to specific preferred 
embodiments and variants thereof, it will be appar- 
ent that changes and modifications can be made 
without departing from what is regarded the subject 
matter of this invention. 

Claims 

1. A method for generating and verifying a digital 
signature e,y of a message x. comprising the 
following steps for generating the signature: 

a. providing a secret and random value r; 

b. providing a public value g; 

c. calculating a corresponding value u pro- 
ceeding from a prime modulus p according 
to the rule 

u = g" r mod p; 



d. calculating said value e from said mes- 
sage x and said value u according to the 
rule e = f(G(x), u), wherein G(x) is a value 
derived from said message x and f is such 
that G(x) can be calculated from e and u 
using a function h(u~\ e) = G(x); 

e. calculating said value y proceeding from 
a value q f selected to be a divisor of p-1, 
according to the rule 

y = r + se mod q 

where s is a secret value; 

said method further comprising the fol- 
lowing steps for verifying said signature e.y: 

f. calculating the inverse of said vaJue u 
according to the rule 

u~ 1 = g y k* mod p 

where k is congruent to g' s mod p and said 
value s is a secret value; 

g. reconstructing G(x) from u~ 1 and e ac- 
cording to the rule 

G(x) = h(u"\ e) 



h. verifying the validity of said signature e.y. 

5 2. The method of claim 1 , wherein G(x) = x and 
wherein step h comprises the verification of a 
natural or artificially inserted redundancy in x. 

3. The method of claim 1 , wherein G(x) is a hash 
10 value H(x) computed by applying a hash func- 
tion H to said message x and wherein step h 
comprises the verification of said signature by 
comparison of G(x) as obtained in step g with 
the value obtained from applying H to the 

75 message x directly. 

4. The method of any of the preceding claims, 
wherein 

20 f(G(x), u) = G(x) u mod p and 
h(u~\ e) = u" 1 e mod p, 

or wherein 

25 f(G(x). u) = G(x) + u mod p and 

h(u~\ e) = e - u mod p, 

or wherein 

30 f(G(x), u) = G(x) xor u and 
h(u~\ e) = e xor u. 

5. The method of any of the preceding claims, 
wherein the sign of r and/or the sign of s are/is 

35 negative. 

6. Method for generating and testing a digital 
signature e.y of a message x, especially ac- 
cording to any of the preceding claims, 

40 wherein the arithmetic modulo p is replaced by 

any other equivalent arithmetic, such as 
arithmetic in an extension field, arithmetic on 
an elliptic curve over a finite field, etc., where 
the discrete logarithm problem is difficult to 

45 solve. 

7. A method for generating a digital signature 
according to any of the preceding claims. 

so 8. Apparatus for carrying out the method of claim 
7. 

9. A method for verifying a digital signature ac- 
cording to any of the claims 1-6. 

55 

10. Apparatus for carrying out the method of claim 
9. 
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11. A method for establishing a shared secret key 
K between two parties A and B, comprising the 
steps of: 

a. providing to party A two secret and ran- 
dom values r and R; 5 

b. providing a public value g; 

c. calculating by party A the value e pro- 
ceeding from a prime modulus p according 
to the rule 

w 

e = g R ~ r mod p; 



d. calculating the value y proceeding from a 
divisor q of p-1 according to the rule ;s 

y = r + s A e mod q 

where s A is a secret value only known by 
party A; 20 

e. calculating by party A said shared, key K 
according to the rule 

K = k B R mod p 

25 

where k B is congruent to g" sB mod p and 
said value s 9 is a secret value only known 
by party B; 

f. transmitting by party A to the recipient B 

the key token e,y containing said values e 30 
and y; 

g. receiving by party B said key token e,y; 

h. reconstructing by party B the value g R 
mod p according to the rule 

35 

g R = gy k A 9 e mod p 

where k A is congruent to g" 3 * mod p and 
said value s A is a secret value only known 
by party A; 40 

i. calculating by party B said shared key K 
according to the rule 

K = (gV B mod p 

45 

where s B is a secret value only known by 
party B. 

12. The method of claim 11, where in step c and d 
the sign of said value r is inverted, and/or 50 
where in step c, f, h and i the sign of said 
value R is inverted, and/or where in steps e, f, 
h and/or i the sign of said values s A and s B are 
inverted. 

56 
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* page 242, line 28 - page 243, line 11 * 

COMPUTER 

vol. 16, no. 2 , February 1983 , LONG 
BEACH US 
pages 55 - 62 

0. DAVIES 'APPLYING THE RSA DIGITAL 
SIGNATURE TO ELECTRONIC MAIL' 

* page 55, right column, last paragraph - 
page 56, left column, paragraph 1 * 

* page 56, left column, line 44 - line 49 



PROCEEDINGS OF THE 25TH ANNUAL 1991 IEEE 
INTERNATIONAL CARNAHAN CONFERENCE ON 
SECURITY TECHNOLOGY 1 October 1991 , NEW 
YORK 

pages 145 - 148 

SUN ET AL. 'AN EFFICIENT PROBABILISTIC 
PUBLIC-KEY BLOCK ENCRYPTION AND SIGNATURE 
SCHEME BASED ON EL-GAMAL'S SCHEME' 

* page 146, left column, line 19 - right 
column, line 4 * 
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